This past weekend at the Devsigner Conference held in Portland, Oregon, Dylan Tack gave an excellent presentation entitled “Taking control of the Browser Security Model”:
Since the birth of the web, the browser security model has remained nearly static. Recent evolutions make it possible for site operators to fine-tune the security model, and enforce mandatory access controls. This session will focus on Content-Security-Policy, and other browser security features like Strict Transport Security and Public Key Pins.
47% of all web applications have a cross-site-scripting vulnerability, and this potential security flaw ranks in the top three classes of all vulnerabilities. [ White Hat Security, 2015 Website Security Statistics Report ]
A Content Security Policy is a systematic way to block these attacks, by whitelisting allowed sources of script, style, and other resources. The holy grail – blocking “unsafe-inline” code – offers the strongest defense, but can be a big surprise for front-end developers when inline scripts and styles stop working!
If you are developing for the web you need to take a look at his slide deck. If you have any questions, feel free to let let me know.
Consolidated Metco, a company located in Vancouver, Washington is looking for an IT Security & Compliance Manager. Here are the job details:
Good luck and let me know if you apply for the job 😉
A few months ago I re-opened my professional consultancy and here’s what I have to offer companies and executives:
- Provide an honest assessment of your information technology operation
- Offer executives a “plain English” explanation of technology
- Personalized executive technology coaching and training
- Help you answer the question “IT tells me everything is perfect but is it really?”
- Offer you the cold hard facts about social media
- Provide opinions and constructive feedback for new software and hardware initiatives
- Help you learn more about the “cloud”, its benefits and how it can be implemented
- Assist you in determining if your company’s data is secure
- Provide you a motivated and expert speaker for company events and conferences
Here’s a partial list of the companies I have and continue to work with:
- US Department of Agriculture
- Washington State Department of Utilities and Transportation
- Social Security Administration
- Vulture Street Innovation
- Systems Advisory Services
- Environmental Protection Agency
- TNT Shipping Services
- Pricewaterhouse Coopers
- Honda Research
- EPIC Aviation
While growing a solution works very well for discovering what works and what doesn’t, it hardly leads to a consistent and easy to apply programming model. This is especially true for security: where ideally the simplest thing that works is also the most secure, it is far too easy to introduce vulnerabilities like XSS, CSRF or Clickjacking.
Because HTTP is an extensible protocol browsers have pioneered some useful headers to prevent or increase the difficulty of exploiting these vulnerabilities. Knowing what they are and when to apply them can help you increase the security of your system.
[Hat tip to Thomas Gumz for sharing this]
Just received an email from Apple regarding the Apple Developer site outage: